November 05, 2021

Current and former directors of information technology company SolarWinds have been hit with a stockholder derivative suit in Delaware's Chancery Court over claims they were at fault for the massive hack and data breach that affected governments and private businesses around the globe last year.

The complaint filed by shareholders Thursday states the suit is in response to the directors' "utter failure to implement or oversee any reasonable monitoring system concerning … cybersecurity risks fundamental to SolarWinds' only line of business."

These failures, the shareholders claim, led to one of the most devastating cyberattacks in U.S. history, which has since been dubbed "Sunburst."

SolarWinds, headquartered in Austin, Texas, develops software for businesses to help manage their networks, systems, and information technology infrastructure. According to the complaint, its signature Orion Platform is "virtually ubiquitous in business and government in the United States and globally."

The company has approximately 300,000 clients, including most Fortune 500 companies and most of the United States' top government agencies, such as the Department of Defense, the Federal Bureau of Investigation and the National Nuclear Security Administration, among others, all of which represent government contracts upwards of $230 million.

According to the complaint, SolarWinds software depends on access to clients' IT systems. This level of access not only makes the software a unique target for hackers, but is also what led to Sunburst, the complaint states.

In December 2020, SolarWinds announced that it had learned of a cybersecurity incident — now believed to have been carried out by Russia's Foreign Intelligence Service — that attacked approximately 18,000 clients by hiding malware code in SolarWinds' Orion software.

"Although the full extent of the Sunburst hackers' access to SolarWinds' clients' IT systems is not publicly known, it is clear that the attackers have been able to steal extensive proprietary information, confidential emails, and intellectual property from some of America's most sensitive government agencies and private businesses," the complaint states.

The shareholders allege the company's directors were warned extensively before the attack about heightened risks of cyberattacks and deficiencies in SolarWinds "that defied elementary cybersecurity standards for any modern company."

. . .

The shareholders are represented by Chad Johnson, Noam Mandel, Desiree Cummings, Jonathan Zweig and Sarah Delaney of Robbins Geller Rudman & Dowd LLP; Thomas Curry and Tayler D. Bolton of Saxena White PA; Michael J. Barry and Vivek Upadhya of Grant & Eisenhofer PA; Jeremy S. Friedman and David Tejtel of Friedman Oster & Tejtel PLLC; D. Seamus Kaskela of Kaskela Law LLC; and Julie Goldsmith Reiser, Richard A. Speirs and Amy Miller of Cohen Milstein Sellers & Toll PLLC.

The complete article can be accessed here.